Thycotic with SAML (okta) and MFA

[aaron.ellis]

Hello,

Has anyone gotten Thycotic integration to work when using SAML via okta with MFA?

[DevOma]

I checked the API documentation and can't see any differences to other login methods - but we never tried that in our environment...

[aaron.ellis]

I might open a ticket with thycotic about it.  Are you using the SOAP or rest api endpoints?  From the URLs I see in the samples it looks like SOAP.

[DevOma]

Yes currently we only use the SOAP interfaces

[aaron.ellis]

Did some tinkering,

First I had the webservice URL wrong, after correcting that and having it set to windows auth I can hit the browse button and I get the proper list of folders.  
If I hit the Sync button I get an Error Reading credentials error even thought Windows auth is picked and it is dimmed. 
   
Then if I go ahead and give it credentials and try to sync again I get a Reading data error about MaxRecievedMessageSize
   

[DevOma]

First issue is a bug - I noticed same last week when optimizing some other code - just set a cred it will not be used. It's fixed already for the next version

Second issue - goto Settings=>Thycotic - there you can set the MaxReceivedMessageSize to a bigger value - it's the default but in huge environments it is too small - try 500000 instead of 64k

[aaron.ellis]

That did it, I ended up adding another 0 on there, we have a few thousand passwords in our folder.  Probably needs some cleanup, but it is going.  Thank you.  So If I create a public folder like thi and only sync the names, if someone doesn;t ahve access it won;t give them the passwords right?

[DevOma]

Yes - if only names are synced every time you try to use the credential object will ASGRD retrieve the credential details from Thycotic - if the user has no access they won't be able to use these creds…